SKALE-2002 replace sgx seal/unseal with aes encryption/decryption

54824dc0 · Oleh Nikolaiev · 9c21e3b9 · 54824dc0 · 54824dc0 · 54824dc0
Unverified Commit 54824dc0 authored Jun 05, 2020 by Oleh Nikolaiev
Showing with 26 additions and 97 deletions

BLSCrypto.cpp BLSCrypto.cpp +1 -5

DKGCrypto.cpp DKGCrypto.cpp +14 -48

ECDSACrypto.cpp ECDSACrypto.cpp +9 -36

secure_enclave.c secure_enclave/secure_enclave.c +2 -1

testw.cpp testw.cpp +0 -7

No files found.
--- a/BLSCrypto.cpp
+++ b/BLSCrypto.cpp
@@ -290,11 +290,7 @@ bool sign_aes(const char *_encryptedKeyHex, const char *_hashHex, size_t _t, siz
 bool bls_sign(const char *_encryptedKeyHex, const char *_hashHex, size_t _t, size_t _n, size_t _signerIndex,
              char *_sig) {
-    if (!encryptKeys) {
+    return sign_aes(_encryptedKeyHex, _hashHex, _t, _n, _signerIndex, _sig);
-        return sign(_encryptedKeyHex, _hashHex, _t, _n, _signerIndex, _sig);
-    } else {
-        return sign_aes(_encryptedKeyHex, _hashHex, _t, _n, _signerIndex, _sig);
-    }
 }
 char *encryptBLSKeyShare2Hex(int *errStatus, char *err_string, const char *_key) {

--- a/DKGCrypto.cpp
+++ b/DKGCrypto.cpp
@@ -83,10 +83,8 @@ string gen_dkg_poly(int _t) {
    uint32_t enc_len = 0;
-    if (!encryptKeys)
+    status = trustedGenDkgSecretAES(eid, &errStatus, errMsg.data(), encrypted_dkg_secret.data(), &enc_len, _t);
-        status = trustedGenDkgSecret(eid, &errStatus, errMsg.data(), encrypted_dkg_secret.data(), &enc_len, _t);
-    else
-        status = trustedGenDkgSecretAES(eid, &errStatus, errMsg.data(), encrypted_dkg_secret.data(), &enc_len, _t);
    if (errStatus != 0) {
        throw SGXException(-666, errMsg.data());
    }
@@ -95,9 +93,7 @@ string gen_dkg_poly(int _t) {
    spdlog::debug("in DKGCrypto encr len is {}", enc_len);
    uint64_t length = DKG_MAX_SEALED_LEN;
-    if (encryptKeys) {
+    length = enc_len;
-        length = enc_len;
-    }
    vector<char> hexEncrPoly(2 * length + 1, 0);
    CHECK_STATE(encrypted_dkg_secret.size() >= length);
@@ -127,26 +123,16 @@ vector<vector<string>> get_verif_vect(const char *encryptedPolyHex, int t, int n
        throw SGXException(INVALID_HEX, "Invalid encryptedPolyHex");
    }
    spdlog::debug("hex_encr_poly length is {}", strlen(encryptedPolyHex));
    spdlog::debug("enc len {}", encLen);
+    status = trustedGetPublicSharesAES(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), encLen,
+                                        pubShares.data(), t, n);
-    uint32_t len = 0;
-    if (!encryptKeys)
-        status = trustedGetPublicShares(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), len, pubShares.data(), t,
-                                        n);
-    else {
-        status = trustedGetPublicSharesAES(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), encLen,
-                                            pubShares.data(), t, n);
-    }
    if (errStatus != 0) {
        throw SGXException(-666, errMsg1.data());
    }
    spdlog::debug("err msg is {}", errMsg1.data());
    spdlog::debug("public_shares:");
@@ -179,11 +165,7 @@ string trustedGetSecretShares(const string &_polyName, const char *_encryptedPol
        throw SGXException(INVALID_HEX, "Invalid encryptedPolyHex");
    }
+    status = trustedSetEncryptedDkgPolyAES(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), &encLen);
-    if (!encryptKeys)
-        status = trustedSetEncryptedDkgPoly(eid, &errStatus, errMsg1.data(), encrDKGPoly.data());
-    else
-        status = trustedSetEncryptedDkgPolyAES(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), &encLen);
    if (status != SGX_SUCCESS || errStatus != 0) {
        throw SGXException(-666, errMsg1.data());
@@ -206,13 +188,9 @@ string trustedGetSecretShares(const string &_polyName, const char *_encryptedPol
        spdlog::debug("pubKeyB is {}", pub_keyB);
+        trustedGetEncryptedSecretShareAES(eid, &errStatus, errMsg1.data(), encryptedSkey.data(), &decLen,
-        if (!encryptKeys)
-            trustedGetEncryptedSecretShare(eid, &errStatus, errMsg1.data(), encryptedSkey.data(), &decLen,
                                           currentShare.data(), sShareG2.data(), pubKeyB.data(), _t, _n, i + 1);
-        else
-            trustedGetEncryptedSecretShareAES(eid, &errStatus, errMsg1.data(), encryptedSkey.data(), &decLen,
-                                               currentShare.data(), sShareG2.data(), pubKeyB.data(), _t, _n, i + 1);
        if (errStatus != 0) {
            throw SGXException(-666, errMsg1.data());
        }
@@ -261,11 +239,7 @@ verifyShares(const char *publicShares, const char *encr_sshare, const char *encr
    memset(pshares, 0, 8193);
    strncpy(pshares, publicShares, strlen(publicShares));
+    trustedDkgVerifyAES(eid, &errStatus, errMsg, pshares, encr_sshare, encr_key, decKeyLen, t, ind, &result);
-    if (!encryptKeys)
-        trustedDkgVerify(eid, &errStatus, errMsg, pshares, encr_sshare, encr_key, decKeyLen, t, ind, &result);
-    else
-        trustedDkgVerifyAES(eid, &errStatus, errMsg, pshares, encr_sshare, encr_key, decKeyLen, t, ind, &result);
    if (result == 2) {
        throw SGXException(INVALID_HEX, "Invalid public shares");
@@ -296,11 +270,7 @@ bool CreateBLSShare(const string &blsKeyName, const char *s_shares, const char *
    uint32_t enc_bls_len = 0;
+    trustedCreateBlsKeyAES(eid, &errStatus, errMsg, s_shares, encr_key, decKeyLen, encr_bls_key, &enc_bls_len);
-    if (!encryptKeys)
-        trustedCreateBlsKey(eid, &errStatus, errMsg, s_shares, encr_key, decKeyLen, encr_bls_key, &enc_bls_len);
-    else
-        trustedCreateBlsKeyAES(eid, &errStatus, errMsg, s_shares, encr_key, decKeyLen, encr_bls_key, &enc_bls_len);
    if (errStatus != 0) {
@@ -336,10 +306,8 @@ vector<string> GetBLSPubKey(const char *encryptedKeyHex) {
    char pubKey[320];
    spdlog::debug("decKeyLen is {}", decKeyLen);
-    if (!encryptKeys)
+    trustedGetBlsPubKeyAES(eid, &errStatus, errMsg1, encrKey, decKeyLen, pubKey);
-        trustedGetBlsPubKey(eid, &errStatus, errMsg1, encrKey, decKeyLen, pubKey);
-    else
-        trustedGetBlsPubKeyAES(eid, &errStatus, errMsg1, encrKey, decKeyLen, pubKey);
    if (errStatus != 0) {
        spdlog::error(string(errMsg1) + " . Status is  {}", errStatus);
        throw SGXException(ERROR_IN_ENCLAVE, "Failed to get BLS public key in enclave");
@@ -377,10 +345,8 @@ string decryptDHKey(const string &polyName, int ind) {
    char DHKey[ECDSA_SKEY_LEN];
-    if (!encryptKeys)
+    trustedDecryptKeyAES(eid, &errStatus, errMsg1.data(), encryptedDHKey, dhEncLen, DHKey);
-        trustedDecryptKey(eid, &errStatus, errMsg1.data(), encryptedDHKey, dhEncLen, DHKey);
-    else
-        trustedDecryptKeyAES(eid, &errStatus, errMsg1.data(), encryptedDHKey, dhEncLen, DHKey);
    if (errStatus != 0) {
        throw SGXException(/*ERROR_IN_ENCLAVE*/ errStatus, "decrypt key failed in enclave");
    }

--- a/ECDSACrypto.cpp
+++ b/ECDSACrypto.cpp
@@ -67,17 +67,9 @@ vector <string> genECDSAKey() {
    uint32_t enc_len = 0;
-//    status = trustedGenerateEcdsaKeyAES(eid, &errStatus,
+    status = trustedGenerateEcdsaKeyAES(eid, &errStatus,
-//                                        errMsg.data(), encr_pr_key.data(), &enc_len,
+                                        errMsg.data(), encr_pr_key.data(), &enc_len,
-//                                        pub_key_x.data(), pub_key_y.data());
+                                        pub_key_x.data(), pub_key_y.data());
-    if (!encryptKeys)
-        status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encr_pr_key.data(),
-                                         &enc_len, pub_key_x.data(), pub_key_y.data());
-    else
-        status = trustedGenerateEcdsaKeyAES(eid, &errStatus,
-                                            errMsg.data(), encr_pr_key.data(), &enc_len,
-                                            pub_key_x.data(), pub_key_y.data());
    if (status != SGX_SUCCESS || errStatus != 0) {
        spdlog::error("RPCException thrown with status {}", status);
@@ -119,15 +111,9 @@ string getECDSAPubKey(const char *_encryptedKeyHex) {
        throw SGXException(INVALID_HEX, "Invalid encryptedKeyHex");
    }
-//    status = trustedGetPublicEcdsaKeyAES(eid, &errStatus,
+    status = trustedGetPublicEcdsaKeyAES(eid, &errStatus,
-//                                         errMsg.data(), encrPrKey.data(), enc_len, pubKeyX.data(), pubKeyY.data());
+                                         errMsg.data(), encrPrKey.data(), enc_len, pubKeyX.data(), pubKeyY.data());
-    if (!encryptKeys)
-        status = trustedGetPublicEcdsaKey(eid, &errStatus, errMsg.data(), encrPrKey.data(), enc_len, pubKeyX.data(),
-                                          pubKeyY.data());
-    else
-        status = trustedGetPublicEcdsaKeyAES(eid, &errStatus,
-                                             errMsg.data(), encrPrKey.data(), enc_len, pubKeyX.data(), pubKeyY.data());
    if (errStatus != 0) {
        throw SGXException(-666, errMsg.data());
    }
@@ -205,24 +191,11 @@ vector <string> ecdsaSignHash(const char *encryptedKeyHex, const char *hashHex,
    pubKeyStr = getECDSAPubKey(encryptedKeyHex);
-//    status = trustedEcdsaSignAES(eid, &errStatus,
+    status = trustedEcdsaSignAES(eid, &errStatus,
-//            errMsg.data(), encryptedKey.data(), decLen, (unsigned char *) hashHex,
+            errMsg.data(), encryptedKey.data(), decLen, (unsigned char *) hashHex,
-//                                 signatureR.data(),
+                                 signatureR.data(),
-//                                 signatureS.data(), &signatureV, base);
+                                 signatureS.data(), &signatureV, base);
-    if (!encryptKeys) {
-        status = trustedEcdsaSign(eid, &errStatus, errMsg.data(),
-                 encryptedKey.data(), ECDSA_ENCR_LEN, (unsigned char *) hashHex,
-                                  signatureR.data(),
-                                  signatureS.data(), &signatureV, base);
-    } else
-        status = trustedEcdsaSignAES(eid, &errStatus,
-                errMsg.data(), encryptedKey.data(), decLen, (unsigned char *) hashHex,
-                                     signatureR.data(),
-                                     signatureS.data(), &signatureV, base);
    if (errStatus != 0) {
        exception = make_shared<SGXException>(666, errMsg.data());
        goto clean;

--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -1103,7 +1103,7 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
        return;
    }
-    //skey[enc_len - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE - 1] = '\0';
+    skey[enc_len - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE] = '\0';
    snprintf(errString, BUF_LEN, "pr key is %s length %d ", skey, strlen(skey));
    mpz_t privateKeyMpz;
@@ -1111,6 +1111,7 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
    if (mpz_set_str(privateKeyMpz, skey, ECDSA_SKEY_BASE) == -1) {
        *errStatus = -1;
        snprintf(errString, BUF_LEN, "invalid secret key");
+        LOG_ERROR(skey);
        mpz_clear(privateKeyMpz);
        domain_parameters_clear(curve);

--- a/testw.cpp
+++ b/testw.cpp
@@ -421,16 +421,11 @@ TEST_CASE_METHOD("BLS key encrypt/decrypt", "[bls-key-encrypt-decrypt]") {
 TEST_CASE_METHOD(TestFixture, "ECDSA key gen API", "[ecdsa-key-gen-api]") {
    HttpClient client(RPC_ENDPOINT);
    StubClient c(client, JSONRPC_CLIENT_V2);
    for (int i = 0; i <= 20; i++) {
        try {
            Json::Value genKey = c.generateECDSAKey();
            REQUIRE(genKey["status"].asInt() == 0);
@@ -442,13 +437,11 @@ TEST_CASE_METHOD(TestFixture, "ECDSA key gen API", "[ecdsa-key-gen-api]") {
            REQUIRE(sig["status"].asInt() == 0);
            Json::Value getPubKey = c.getPublicECDSAKey(genKey["keyName"].asString());
            REQUIRE(getPubKey["status"].asInt() == 0);
        } catch (JsonRpcException &e) {
            cerr << e.what() << endl;
            throw;
        }
    }
 }
 TEST_CASE_METHOD(TestFixture, "BLS key encrypt", "[bls-key-encrypt]") {